Re: Block ack attack causes

Just curious if you were able to find a resolution to this issue. I have been experiencing the same problem with a Linux based mobile router (InMotion Router OMM).

I have tried turning on BC/MC Optimization, increasing the "Max Transmit Failures" to 20 under the SSID settings. Also tried turning off "Detect Block ACK DoS" under IDS settings.

The device is deleted from the controller causing the connection to drop on the router device. Although the device reports that the wireless connection is fine, no traffic (ping packets in this case) is able to go through. This happens every 1 minute or so, which is very disturbing for any continuous wireless communication.

Here are some other posts regarding the Block ACK packets but there are no resolutions posted:

Re: Block ack attack causes

07-23-2013 03:17 PM

A number of Block ACK attacks were logged as false positives and this was fixed in 6.1.3.6. You should upgrade to 6.1.3.6 or later to see if the messages still exist. If they still exist or if you still have client issues, please open a support case.

Re: Block ack attack causes

03-01-2016 11:32 AM

It honestly depends on what the alert is and why you have it enabled. Specific to Block ACK, it's very susceptible to clients with bad driver support, or when loads of clients have low SNR. From a WIDS perspective, the threat vector is VERY low (any high security-conscious customers should be using dot1x, to which this attack is only a DoS anyway, akin to generating tons of noise targeted at one client).

So Block ACK, like many other signatures, requires a certain level of 'baselining' your environment first, then adjusting the triggers and thresholds in the controller so that the normal background noise of WIDS alerts is ignored, and if there's an 'event' such that the triggers exceed your modified thresholds, then you may or may not have something to investigate (though if you have an influx of new devices or clients are moving into low coverage areas, it might just be your new 'normal'). Some signatures, if seen, are actionable immediately; others may be trend or environmental without being a 'new threat'. As you may have found out, you can easily overload yourself with things that sound bad that turn out to be nascent, or are just 'normal noise'.

After Atmosphere, I will be writing up a WIDS VRD for AOS, Instant, and AirWave. I have all the moving parts, just not the time to sit and pound it all out, but I would expect it in the April time frame. It should have common vernacular descriptions of the signatures, a chart with best practices and recommendations based on your vertical, etc.
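As an added illustration of the baselining approach the reply above describes (this is example code written for this page, not the poster's code and not an Aruba controller feature), the script below takes a week of hourly Block ACK alert counts as the baseline, derives a threshold from their mean and spread, and flags only the hours in a new export that exceed it. It also reports which client dominates a flagged hour, since the reply notes that a single client with a bad driver can generate most of the noise. The log line format and all MAC addresses, AP names and counts are constructed for the example; a real controller export will need its own regex.

```python
import re
import statistics
from collections import Counter

# Constructed hourly Block ACK alert counts from a prior "quiet" week
# (assumption: these were exported once the environment was baselined).
BASELINE_HOURLY = [2, 3, 2, 3, 2, 3, 2, 3]

# Constructed export for the day under review. The line layout is an
# assumption for this example, not the controller's real syslog format.
SAMPLE_LOG = """\
2016-03-01 08:05:11 WIDS signature=block_ack_dos ap=AP-12 client=aa:bb:cc:00:00:01
2016-03-01 08:41:02 WIDS signature=block_ack_dos ap=AP-12 client=aa:bb:cc:00:00:02
2016-03-01 09:01:30 WIDS signature=block_ack_dos ap=AP-07 client=aa:bb:cc:00:00:07
2016-03-01 09:07:18 WIDS signature=block_ack_dos ap=AP-07 client=aa:bb:cc:00:00:07
2016-03-01 09:14:55 WIDS signature=block_ack_dos ap=AP-07 client=aa:bb:cc:00:00:07
2016-03-01 09:22:03 WIDS signature=block_ack_dos ap=AP-07 client=aa:bb:cc:00:00:07
2016-03-01 09:29:47 WIDS signature=block_ack_dos ap=AP-07 client=aa:bb:cc:00:00:07
2016-03-01 09:36:12 WIDS signature=block_ack_dos ap=AP-07 client=aa:bb:cc:00:00:07
2016-03-01 09:44:59 WIDS signature=block_ack_dos ap=AP-07 client=aa:bb:cc:00:00:07
2016-03-01 09:50:09 WIDS signature=block_ack_dos ap=AP-07 client=aa:bb:cc:00:00:08
2016-03-01 10:12:44 WIDS signature=block_ack_dos ap=AP-12 client=aa:bb:cc:00:00:01
2016-03-01 10:30:00 WIDS signature=block_ack_dos ap=AP-03 client=aa:bb:cc:00:00:03
2016-03-01 10:55:21 WIDS signature=rogue_ap ap=AP-03 client=aa:bb:cc:00:00:09
"""

# Captures the timestamp down to the hour so alerts bucket per hour.
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} WIDS "
    r"signature=(?P<sig>\S+) ap=(?P<ap>\S+) client=(?P<client>\S+)$"
)


def parse_alerts(text):
    """Parse export lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def hourly_counts(alerts, signature="block_ack_dos"):
    """Count alerts of one signature per hour bucket."""
    return Counter(a["hour"] for a in alerts if a["sig"] == signature)


def baseline_threshold(history, k=3.0, floor=1):
    """Mean plus k standard deviations of the baseline counts.

    The floor keeps a zero-variance baseline from flagging every hour
    that is one alert above the mean.
    """
    mean = statistics.mean(history)
    spread = statistics.pstdev(history)
    return max(mean + k * spread, mean + floor)


def flag_hours(counts, threshold):
    """Hours whose count exceeds the baseline-derived threshold."""
    return sorted((h, c) for h, c in counts.items() if c > threshold)


def top_client(alerts, hour, signature="block_ack_dos"):
    """Client responsible for most alerts in the hour, with its share."""
    per_client = Counter(
        a["client"] for a in alerts if a["hour"] == hour and a["sig"] == signature
    )
    client, n = per_client.most_common(1)[0]
    return client, n, sum(per_client.values())


def triage(text=SAMPLE_LOG, history=BASELINE_HOURLY, k=3.0):
    """Return the threshold used and one finding per flagged hour."""
    alerts = parse_alerts(text)
    threshold = baseline_threshold(history, k)
    findings = []
    for hour, n in flag_hours(hourly_counts(alerts), threshold):
        client, cn, total = top_client(alerts, hour)
        findings.append(
            {"hour": hour, "count": n, "top_client": client, "top_client_share": cn / total}
        )
    return threshold, findings


if __name__ == "__main__":
    thr, found = triage()
    print(f"threshold = {thr:.1f} alerts/hour")
    for f in found:
        print(f"{f['hour']}: {f['count']} alerts, "
              f"{f['top_client']} accounts for {f['top_client_share']:.0%}")
```

With the constructed data the quiet week gives a mean of 2.5 and a threshold of 4.0, so only the 09:00 hour is flagged, and the report shows one client producing 7 of its 8 alerts; that is the "one noisy client" pattern the reply suggests checking before treating the burst as a new threat. The `rogue_ap` line is ignored because the count is filtered by signature.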